[CSAW 2016] Clams Don’t Dance Writeup



Find the clam and open it to find the pearl.

We are given with a file. I ran file command on it to figure it’s file type:

[Megabeets] /tmp/CSAW/clam# file out.img
out.img: x86 boot sector

Ok, we have raw image file which will probably contain file/s with the flag. I’ll show 2 methods, choose your preferred one.

Method 1: Autopsy

Open Autopsy (my favorite forensics software, it’s free and heartily recommended) and choose the “Create New Case” on the Welcome window. You can also create a new case from the “File” menu.


Fill the requested details and press “Finish”. Now add input data source to the case. Click “Case” > “Add Data Source…” or on the “Add Data Source” button (  autopsy_add_data_source ) on the main window and choose our file, out.img.

I cannot teach you about all the features of this great software so I’ll just show the path to the flag. If you’re not familiar with Autopsy I recommend you again to start working with it.

In the right panel you can find plenty of features, I will use only the directory viewer. Clicking on the data source (out.img) will show the files in the main directory of the image.



Do you see it? As it says in the description, we found the clam(.pptx)! The X on it’s icon means that this file was deleted from the  operation system (but not from the disk). Double clicking it and you’ll see bunch of image files, one of them, called image0.gif, is looking like a MaxiCode. Is it?


Scan it either online or offline to reveal the flag. I was scanning it with this site.


Method 2: Foremost

This is less elegant way to solve the challenge. Run foremost on the file:

[Megabeets]$ foremost out.img

You’ll get a folder named output with zip file, movie file and pptx file. Extract the pptx file using 7-zip (PPTX is an archive file), go to the /ppt/media folder and you’ll find the MaxiCode image mentioned before.

[CSAW 2016] Regexpire Writeup



I thought I found a perfect match but she ended up being my regEx girlfriend.

nc misc.chal.csaw.io 8001

It wasn’t so hard, I asked google for the best way to generate matched string to a given pattern and wrote the following script. The only headache was when my generator used newlines (“\n”) so I removed them.

from pwn import *
import rstr
import exrex
from time import sleep
import re

# conect to server
r = remote('misc.chal.csaw.io', 8001)

# Print the question string
print r.recvline()

# Counter

while True:
	# Recieve the regex pattern
    reg = r.recvline()[:-1]
    print "%d -------\n"%i
    print reg
    print "-------\n"
    ans=rstr.xeger(reg).replace('\n','') # Remove newlines!
    # ans=exrex.getone(reg).replace('\n','')  # Another possible option

And after 1000 tests we got the flag: flag{^regularly_express_yourself$}

[CSAW 2016] Coinslot Writeup



#Hope #Change #Obama2008

nc misc.chal.csaw.io 8000

Let’s connect to the server and see what will happen:

[Megabeets] /tmp/CSAW/Coinslot# nc misc.chal.csaw.io 8000
$10,000 bills: 0
$5,000 bills: 0
$1,000 bills: 0
$500 bills: 0
$100 bills: 0

So, the server is displaying a wanted amount of money and we need to calculate the number of bills and coins given the amount. All we need is writing a simple python script and a coffee break because it will take about 10 minutes for the flag to come up 🙁

from pwn import *

r = remote('misc.chal.csaw.io',8000)

# Create an array of dollars and coins values
money = [10000.0, 5000.0, 1000.0, 500.0, 100.0, 50.0, 20.0, 10.0, 5.0, 1.0, 0.5, 0.25, 0.1, 0.05, 0.01]
count = 0

	count += 1
	amount = 0.0
	# Recieve the wanted amount of money
	amount = float(r.recvline()[1:])
	print "Wanted amount is " + str(amount)

	# Send the number of dollars and coins for each value
	for m in money:
		print r.recv()
		ans = int(amount/m)
		print "Sending %d" %ans
		amount = round((amount - (ans*m)), 2)
		print "Left with " + str(amount)
	print "[+] Finished %d" %count
	print r.recvline()


The flag is: flag{started-from-the-bottom-now-my-whole-team-fucking-here}

[CSAW 2016] Kill Writeup



Is kill can fix? Sign the autopsy file?

This challenge was the first in the Forensics category and was very very simple. We are given with what seems like a corrupted pcapng file, I wasn’t able to open it in Wireshark nor Tcpdump. I ran strings on it with a hope to find the flag:

[Megabeets] /tmp/CSAW/kill# strings kill.pcapng | grep -i flag

And to my great surprise I got it, the flag was written plain-text in the file.